This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Manage DNS | |
| // Create a private route53 zone | |
| resource "aws_route53_zone" "this" { | |
| name = "${var.dns_zone_name}" | |
| vpc_id = "${var.vpc_id}" | |
| } | |
| // Create a dns record for the jenkins master private ip | |
| resource "aws_route53_record" "master" { | |
| zone_id = "${aws_route53_zone.this.id}" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create an instance | |
| resource "google_compute_instance" "my-instance" { | |
| project = var.project_id | |
| name = "my-instance-01" | |
| machine_type = "e2-standard-2" | |
| zone = var.zone | |
| boot_disk { | |
| initialize_params { | |
| image = "debian-cloud/debian-9" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Allow incoming access to our instance via | |
| ## port 22, from the IAP servers | |
| resource "google_compute_firewall" "inbound-ip-ssh" { | |
| name = "allow-incoming-ssh-from-iap" | |
| project = var.project_id | |
| network = "default" | |
| direction = "INGRESS" | |
| allow { | |
| protocol = "tcp" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Creates an Access Level | |
| # This access level will be used in | |
| # a conditional IAM policy to restrict access | |
| # to authorised users coming from authorised networks | |
| resource "google_access_context_manager_access_level" "access-level" { | |
| parent = "accessPolicies/<access-policy-id>" | |
| name = "accessPolicies/<access-policy-id>/accessLevels/<my_access_level_name>" | |
| title = "secure-iap-access-level" | |
| description = "This access level lists the authorised network addresses" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a conditional IAM rule that grants access to establish an IAP tunnel | |
| # IF the user is connecting from an authorised network defined in the access | |
| # list | |
| resource "google_iap_tunnel_iam_member" "allow-remote-access-to-iap" { | |
| project = "<your-project-id>" | |
| role = "roles/iap.tunnelResourceAccessor" | |
| member = "user:calum.hunter@the.cloud" | |
| condition { | |
| title = "allow_remote_access_to_iap" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define the required roles to access the VM | |
| locals { | |
| compute_roles = [ | |
| "roles/compute.viewer", | |
| "roles/compute.osLogin", | |
| ] | |
| } | |
| # Apply the roles to a user account | |
| resource "google_project_iam_member" "assign-roles" { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Allow incoming access to our instance via | |
| ## port 22, from the IAP servers | |
| resource "google_compute_firewall" "inbound-ip-ssh" { | |
| name = "allow-incoming-access-from-iap" | |
| project = var.project_id | |
| network = "default" | |
| direction = "INGRESS" | |
| allow { | |
| protocol = "tcp" |
OlderNewer